Medical Device Security Challenges and Best Practices
From smartphones and implantable defibrillators to EHRs and patient portals, healthcare is getting connected through the Internet of (Medical) Things (IoMT). A Markets and Markets report forecasts the global connected medical device market to reach $1.34 billion by 2021, at an annual growth rate of 26 percent. Clearly, caregivers, patients, payers, medical devices, and pharmaceutical companies are becoming a wired ecosystem.
Greater connectivity undoubtedly improves efficiency and patient outcomes. Yet, with the benefits come risks. The more devices and systems, the more data exchanges and the more gaps between security solutions and potential threats.
The proliferation of devices connected by the IoMT gives malicious attackers virtually millions of opportunities to infiltrate healthcare networks. Whether a device is used by a consumer or by a caregiver in a hospital, essential firmware or malware protection updates may be missed—leaving the window wide open for a data breach.
The size of the threat
Healthcare data breaches occurred at the rate of one per day in 2016, affecting more than 27 million patient records, according to Breach Barometer. On average, 233 days passed before each healthcare data breach was discovered. External wrongdoers were responsible for 27 percent of the data breaches.
Employees can also be a major source of data breaches, whether through deliberate intent or poor security practices. Across all industries, 55 percent of companies experienced a security incident or data breach in 2016 because of a malicious or negligent employee, according to a 2016 Experian Data Breach Resolution and Ponemon Institute report.
Best practices for a medical device security strategy
For an overtasked IT team, addressing security is often reactive rather than proactive. One reason is that the job has become increasingly complex with the exponential growth in the number of devices and endpoints in hospitals and healthcare systems. Sixty-five percent of organizations across all industries use between six and 50 security products, and the more products and devices, the greater the risk of gaps and overlaps.
However, all is not lost. A healthcare IT team can take a few key steps to address the challenges and mitigate the risk of a data breach.
The first step is a cybersecurity assessment that focuses on identifying security gaps, especially where electronic protected health information (ePHI) may be at risk. Then, you'll need to update your cybersecurity roadmap to close the gaps.
For that purpose, we recommend the specific best practices outlined in our medical device security guide. Inside, you'll find eight key best practices for securing your organization's medical devices against today's increasingly damaging cyberattacks, including how to:
- Maintain ongoing cybersecurity governance
- Adopt federal recommendations for healthcare cybersecurity
- Align procurement practices with security policies
- Keep security patches and operating systems up to date
- Segment your networks
- Monitor your wireless network airspace
- Implement advanced endpoint protection
- Enlist employees